Password Managers as Your Keychain

Mr. Laidback is perfectly comfortable reusing his same old password on of all of the site he visits. He understands and knows what a secure password is, but instead ops for using a combination of his pets name and birthday. When he’s forced to change his password, he adds the number “1” to the end of it in annoyance. Mr. Laidback doesn’t believe he is at any risk from reusing passwords since he believes his accounts are of little value to hackers anyway. Don’t be Mr. Laidback, be better.

Reusing a password is the equivalent of dropping a copy of your master key every time you walk through a new door. Now the solution to this is not to rekey the doors every six months, but to stop leaving your keys everywhere. As you transition into more responsible key management you are going to need a keychain.

Password managers are your Keychain

Not all password managers are created equal. They all do the basic functions, they generate passwords and then they store them. But the most important questions to ask when validating the security of a password manager are:

  1. Are your encryption keys stored locally? (and not cloud-based)
  2. Can you trust the code? (open source with verifiable builds)
1Password LastPass KeePass
Are your encryption keys stored locally? X X
Can you trust the code? X

Encryption Key Cloud Storage

The ability to store passwords on the cloud typically means you’ll have access to your passwords across browsers, networks, and devices. Each of the password three managers gives you the option of storing your password database to the cloud, but I assume for usability reasons, LastPass requires it. If you’re comfortable storing encrypted passwords on the cloud you might use LastPass. However, storing the encryption keys to those passwords on the cloud is another thing entirely.

A 1Password support post (2014) :

“The encrypted keys are stored with the data in the cloud. They are encrypted with keys derived from your Master Password. Your Master Password is not stored, but knowledge of it is required to be able to decrypt the keys that are used to encrypt the stored data.”

“You can read about the gory details of the key derivation, but that is a highly technical document.”

The link referanced now redirects to a general help page without any information on key derivation. But the Internet Archive Wayback Machine has a record of the previous listed sketchy key derivation mechanisms. Which for some reason they’ve removed. Not at all suspicious…

Do you trust 1Password to not store your Master Password and derived encryption key?

The correct answer is, you shouldn’t have to.

From a security perceptive, if trust and a legal agreement is the only thing protecting you you’re security sucks. Providers claim to protect your privacy in the details of their service agreements, but really you have no control over your private keys. You don’t know if an employee is going to go rogue, or if someone with shiny shoes is going to strut along “legally” requesting your encryption keys and decrypting your “private” data.

The only way to encrypt with confidence is keep control of your private keys at all times. In addition to this, KeyPass allows you to require a “key file” locally, a USB, or a specific manufactured authentication device.

KeePass help:

“KeePass stores your passwords securely in an encrypted file (database). This database is locked with a master password, a key file and/or the current Windows account details. To open a database, all key sources (password, key file, …) are required. Together, these key sources form the Composite Master Key.”

Requiring this file together with your master password, makes it slightly more difficult for an attacker to obtain your password database.

Open Source

In security there is no trust without transparency. How many experts have audited the code? Generally being open sourced means more auditing has occurred. But this is not always true, as is especially less true in the cryptography community where experts are few and far between. Open sourced code could also mean that it vulnerable to targeted attacks. Such as KeeFarce for KeePass.

To the extent that open source code can improve your degree of trust in a binary is in your ability to download and verify the binaries of the code. Open source means nothing when the source does not match the binary. No password management system is a silver bullet, they’re practical defenses against probable attack vectors.

For Mr. Laidback using any of these password managers would be a significant improvement to his daily security practices. But for you and me KeePass is the favorite. For anyone who’s skeptical I’ll walk though an alternative open source solution in the next blog post.